Lockva

Open source password managers

We compare password managers whose source code is publicly auditable. Open source does not guarantee security by itself, but it allows independent reviews and reduces lock-in. Here are the ones we tested.

Updated March 2026 · 3 open source tools compared

1. Bitwarden

Best Free
Free / $1.66/mo Premium

Open-source password manager with a generous free tier and self-hosting option.

  • Generous free tier with unlimited devices
  • Fully open-source and audited
  • Self-hosting with Vaultwarden
  • UI less polished than 1Password
  • No travel mode

2. Proton Pass

Best Free + Privacy
Free / from $3.26/mo (Pass Plus annual)

Free and paid password manager from Proton with hide-my-email aliases and end-to-end encryption.

  • Generous free tier
  • Unlimited hide-my-email on Plus
  • Proton privacy reputation
  • Newer than 1Password/Bitwarden
  • Fewer business features than Dashlane Omnix

3. KeePass

Best for full control
Free

Free, open-source local password manager. No cloud, no account. You hold the database file.

  • Fully free and open source
  • No account, no cloud
  • You own the database file
  • No built-in sync; you must set it up
  • No official family/business features

What are open source password managers?

Open source password managers are applications whose source code is publicly available for anyone to read, audit, and in many cases modify. Unlike closed-source products such as 1Password or LastPass, where the company keeps the code private, open source projects publish their code on platforms like GitHub. This transparency does not automatically make a product more secure, but it allows security researchers, universities, and independent auditors to verify that the software does what it claims, in particular how it encrypts your data, how it syncs across devices, and whether it sends any information to third parties.

The three open source password managers we recommend and have tested in depth are Bitwarden, Proton Pass, and KeePass. Bitwarden and Proton Pass are cloud-based: your encrypted vault is stored on their servers (or your own, in Bitwarden’s case) and syncs across your devices. KeePass is different: it is local-only. There is no account, no cloud, and no subscription. You keep a single encrypted file (typically with a .kdbx extension) and sync it yourself via Dropbox, a NAS, a USB key, or nothing at all. Each model has trade-offs, and we explain below who should choose which.

Why open source matters for security

When you entrust your passwords to a piece of software, you are relying on two things: that the encryption is implemented correctly, and that the vendor is not doing something harmful with your data (whether by design or because of a bug). With closed-source software, you only have the vendor’s word and, if they have commissioned one, a summary of a security audit. You cannot see for yourself how the master password is derived, how the vault is encrypted, or whether any telemetry is sent.

With open source password managers, anyone can inspect the code. Independent security firms like Cure53 and Trail of Bits have audited Bitwarden and Proton Pass; their reports are public. Researchers and users can check that the encryption (e.g. AES-256, XChaCha20) is applied correctly, that the zero-knowledge architecture is real, and that there are no backdoors or unexpected network calls. Open source also makes it harder for a company to quietly change behaviour: significant changes are visible in the repository. That does not mean every user will read the code, but the possibility creates accountability and has repeatedly led to vulnerabilities being found and fixed.

We moved away from LastPass after their 2022 breach. One of the reasons we now recommend Bitwarden and Proton Pass for users who care about transparency is that their code can be audited. KeePass has been open source for years and has no server at all, so there is no central target for attackers. For security-conscious users, developers, and organisations that need to justify their tooling, open source password managers offer a level of verifiability that closed-source products simply cannot.

The three we recommend: Bitwarden, Proton Pass, KeePass

Bitwarden

Bitwarden is the most established open source password manager we recommend. Launched in 2016, it offers a generous free tier: unlimited passwords, unlimited devices, a password generator, browser extensions, and core two-factor authentication. You can use it for years without paying. The Premium tier costs about $1.66 per month (billed annually) and adds the built-in authenticator (TOTP), 1 GB of file attachments, vault health reports, emergency access, and a phishing blocker. Bitwarden is written in C# and TypeScript; the source code is on GitHub and has been audited multiple times.

A major advantage of Bitwarden is self-hosting. You can run the official Bitwarden server on your own infrastructure, or use Vaultwarden, a lightweight, community-maintained implementation that is compatible with Bitwarden clients. If you want full control of your data and have basic sysadmin skills, this is a strong option. Bitwarden also has family and business plans (Families, Teams, Enterprise) with sharing, policies, and SSO. For developers, there is a CLI and an API. We use Bitwarden for a secondary vault and have tested it on Windows, macOS, Android, iOS, and in Chrome and Firefox. The interface is functional and dense; it is less polished than 1Password but more flexible and affordable.

Proton Pass

Proton Pass is the password manager from Proton, the company behind Proton Mail and Proton VPN. Launched in 2023, it is newer than Bitwarden but benefits from Proton’s focus on privacy and end-to-end encryption. The free tier is generous: unlimited passwords, unlimited devices, and 10 hide-my-email aliases (masked addresses that forward to your real inbox). Pass Plus, at about €2.99 per month (billed annually), adds unlimited aliases, built-in two-factor authentication (TOTP), dark web monitoring, secure sharing, and emergency access.

Proton Pass is open source and has been audited. It uses the same zero-access architecture as Proton Mail: your vault is encrypted on your device before it is sent to Proton’s servers, so Proton cannot read it. If you already use Proton Mail or Proton VPN, having one account for email and passwords is convenient. The interface is clean and modern. Passkeys are supported. There is no self-hosting option (you use Proton’s infrastructure), but for users who want a privacy-focused, open source manager with hide-my-email built in, Proton Pass is an excellent choice. We tested it on Windows, Android, and in Chrome and Firefox; import and autofill worked well.

KeePass

KeePass is the classic local-only password manager. First released in 2003, it is free, open source, and has no account, no cloud, and no subscription. You create a database file (usually .kdbx), protect it with a master password and optionally a key file, and that file is yours. You can store it only on one device, or sync it yourself via Dropbox, Nextcloud, Syncthing, a NAS, or a USB stick. No company holds your data; there is no server to breach.

KeePass supports AES-256 and ChaCha20. The official app is for Windows; on other platforms you use community ports such as KeePassXC (Windows, Mac, Linux), KeePass2Android (Android), and Strongbox or KeePassium (iOS). These ports provide browser integration, TOTP support, and a cleaner UI. The trade-off is that you manage sync and updates yourself. There is no built-in family or business tier; sharing means sharing the file or using a third-party method. KeePass is ideal for technical users, privacy maximalists, and anyone who wants zero dependency on a vendor. We use it for a fully offline vault and have tested KeePassXC and KeePass2Android.

How did we test open source password managers?

We used each of these managers as our primary or secondary vault for at least two weeks. We imported real password databases (from 80 to 200 entries) from CSV or from other managers and checked that URLs, usernames, and passwords were mapped correctly. We tested autofill on a mix of sites: banking, Google, GitHub, random SaaS tools, and sites with non-standard login forms. We tried the mobile apps on Android and iOS, including the Autofill Framework and any accessibility fallbacks. We enabled two-factor authentication (YubiKey where supported) and verified recovery flows.

For Bitwarden we ran a self-hosted Vaultwarden instance and confirmed that the official clients connect and sync without issues. For Proton Pass we created hide-my-email aliases and checked that mail was forwarded correctly. For KeePass we used KeePassXC on Windows and KeePass2Android on Android, syncing the .kdbx file via a cloud folder. Our ranking and recommendations are based on security (encryption, audits, zero-knowledge), day-to-day usability, features that matter (passkeys, breach alerts, sharing, self-hosting), and value for money.

Security and third-party audits

All three managers we recommend use strong encryption and a zero-knowledge (or local-only) model. Bitwarden uses AES-256-CBC with HMAC; the code has been audited by Cure53 and others, and the reports are public. Proton Pass uses end-to-end encryption and has been audited; Proton publishes transparency reports and is based in Switzerland. KeePass does not send your data anywhere; the database is encrypted on your machine with AES-256 or ChaCha20, and the project has been audited over the years.

Open source does not guarantee that a product is secure: bugs and misconfigurations can exist in any codebase. But it does mean that such issues can be found and fixed by the community and by professional auditors. We recommend that you use a strong, unique master password, enable two-factor authentication where available (Bitwarden and Proton Pass support hardware keys), and keep your software updated. For KeePass, use a key file as a second factor and store it only on devices you control.
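To make concrete what "a key file as a second factor" means for KeePass, here is an added Python illustration (not code from this page or from the KeePass project) of how a KDBX composite key is built from the master password and an optional key file, following the scheme KeePass documents: each factor is reduced to 32 bytes, the parts are concatenated, and the result is hashed again before it goes into the database's key-derivation function. The sample password and key-file bytes are constructed, and the XML key-file format is deliberately left out.

```python
import hashlib
from typing import Optional

# Added illustration of KeePass (KDBX) composite-key construction. The composite
# key is later fed to the database's KDF (Argon2 or AES-KDF); that step and the
# actual vault encryption are not modelled here.

def password_component(master_password: str) -> bytes:
    """Reduce the master password to 32 bytes (SHA-256 of its UTF-8 form)."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()

def keyfile_component(keyfile_contents: bytes) -> bytes:
    """Reduce raw key-file contents to 32 bytes.

    Exactly 32 bytes are used as-is; 64 hex characters are decoded; anything
    else is hashed. KeePass's XML key-file format is not handled here, so such
    a file would (incorrectly, for this toy) fall into the hashed branch.
    """
    if len(keyfile_contents) == 32:
        return keyfile_contents
    if len(keyfile_contents) == 64:
        try:
            return bytes.fromhex(keyfile_contents.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not valid hex, treat as arbitrary file contents
    return hashlib.sha256(keyfile_contents).digest()

def composite_key(master_password: str, keyfile_contents: Optional[bytes] = None) -> bytes:
    """Combine whichever factors are present into the 32-byte composite key."""
    parts = password_component(master_password)
    if keyfile_contents is not None:
        parts += keyfile_component(keyfile_contents)
    return hashlib.sha256(parts).digest()

if __name__ == "__main__":
    # Constructed sample values, not a real vault.
    password = "correct horse battery staple"
    keyfile = bytes(range(32))
    with_key = composite_key(password, keyfile)
    without_key = composite_key(password)
    print("password only :", without_key.hex())
    print("password+file :", with_key.hex())
    # Either factor alone yields a different key from the one that opens the
    # database, which is why the key file must be kept on devices you control.
    assert with_key != without_key
    assert composite_key(password, bytes(32)) != with_key
```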

Self-hosting vs cloud: when to choose what?

Bitwarden is the only one of the three that lets you self-host a full sync server. You can run the official Bitwarden server (more resource-intensive) or Vaultwarden (lightweight, compatible with Bitwarden clients) on your own VPS or hardware. All your vault data then stays on infrastructure you control. This is useful for organisations that must comply with strict data residency or security policies, or for individuals who do not want to depend on a third-party cloud. The downside is that you are responsible for backups, updates, and availability.

Proton Pass and KeePass do not offer self-hosting of the sync layer. Proton Pass uses Proton’s servers; your data is encrypted before it leaves your device, but you cannot run the backend yourself. KeePass has no backend: you sync the .kdbx file yourself (e.g. via Nextcloud, Dropbox, or Syncthing). So the choice is: cloud sync managed by the vendor (Proton), cloud or self-hosted sync (Bitwarden), or local-only with manual sync (KeePass). Each has a place depending on how much control and convenience you want.

Open source vs closed source: what are the trade-offs?

Closed-source password managers like 1Password and Dashlane can be excellent. They often have more polished interfaces, more hand-holding for non-technical users, and features like Travel Mode (1Password) or integrated VPN (Dashlane). They commission audits and publish summaries. What you do not get is the ability to verify the code yourself or to run the server yourself (except in 1Password’s enterprise self-hosted offering). For many users that is an acceptable trade-off.

Open source password managers appeal to users who want transparency, the option to self-host (Bitwarden), or the ability to use a product with no account and no cloud (KeePass). The trade-off can be a less polished UI (Bitwarden), a smaller ecosystem (Proton Pass), or more setup and responsibility (KeePass). We recommend both types depending on the use case. If you prioritise verifiability, cost, or control, the open source options we list here are the ones we use and recommend.

Passkeys and the future

Passkeys are the FIDO2-based replacement for passwords: you sign in with your face, fingerprint, or device PIN, and the cryptographic key stays on your device. Phishing is much harder because there is no password to steal. Bitwarden and Proton Pass both support storing and autofilling passkeys; KeePass can store them in the database, but the experience is less integrated than in cloud managers. As more sites adopt passkeys, your password manager will increasingly be the place for both passwords and passkeys. All three open source options we recommend are moving in that direction.

Who should choose which?

Choose Bitwarden if you want the best free tier (unlimited devices, no time limit), the option to self-host, or the most mature open source ecosystem (CLI, API, family and business plans). Choose Proton Pass if you want hide-my-email built in, already use Proton Mail or Proton VPN, or prefer a cleaner, newer interface and Swiss jurisdiction. Choose KeePass if you want no account and no cloud, full control of your database file, and are comfortable managing sync and optional plugins (KeePassXC, KeePass2Android) yourself.

You can also use more than one: for example, Bitwarden or Proton Pass for everyday use and KeePass for a separate, fully offline vault. We do not recommend mixing the same credentials across multiple managers without a clear reason; pick one as primary and use the others only for specific use cases (e.g. travel, backup) if needed.

Bottom line

Open source password managers give you transparency and, in Bitwarden’s case, the option to self-host or stay on a generous free tier. Bitwarden, Proton Pass, and KeePass are the three we recommend and have tested. Bitwarden is best for most people who want open source: free on unlimited devices, or cheap Premium, with optional self-hosting. Proton Pass is best if you want privacy-focused design and hide-my-email in one place. KeePass is best if you want zero cloud and zero vendor dependency. Pick one, import your passwords, turn on 2FA where available, and you will be in good shape. Any of these three is far better than reusing passwords or storing them in a spreadsheet.